You are seeing this because your blog was recently used as part of a DDOS attack against Trilema.

The way this works is that the attacker sends pingbacks to a long list of blogs. The blogs in question then load the indicated URL to try and verify whether the pingback is legitimate (i.e., whether the URL of the pinged blog actually appears on the page), resulting in massive traffic spikes for the victim.

This works because WordPress pingbacks are poorly implemented. A more solid implementation would verify whether the pingback originates from the same IP as the site that supposedly sent it, and discard the request if there's a mismatch. The current implementation allows pingbacks to be sent from any arbitrary IP, and so hands a malicious user yet another DDOS vector.

Please do your part by fixing your pingback implementation. The easiest way would be to open the file xmlrpc.php found in the root directory of your blog installation, and modify the part that says

// Let's check the remote site
// First, make sure we're not being used for DDoS!
if ( gethostbyname( parse_url( $pagelinkedfrom, PHP_URL_HOST ) ) <> $_SERVER['REMOTE_ADDR'] )
    die( "Sorry, you will have to send this from your blog's IP." );
$linea = wp_remote_fopen( $pagelinkedfrom );

This checks that the IP of the domain you think you've been pinged by and the IP of the client informing you that you were pinged match, and dies if they don't - rendering this particular DDoS avenue inoperable while maintaining all the pingback functionality you could possibly want.
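The same check written out as an added Python example (mine, not the article's snippet and not WordPress code), so the failure modes are visible: the sender's address is compared against every address the claimed host resolves to rather than only the first one gethostbyname returns, anything that cannot be parsed or resolved fails closed, and the outbound fetch of the claimed page happens only after the comparison passes, which is what stops the reflection. The resolver table, page bodies and addresses are constructed stand-ins so it runs offline; the names blog.example, multi.example and victim.example are assumptions.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed name-to-address table standing in for DNS so the example runs
# offline; a real receiver would call socket.getaddrinfo() here.
SAMPLE_DNS = {
    "blog.example": ["203.0.113.10"],
    "multi.example": ["198.51.100.7", "198.51.100.8"],
}

# Constructed page bodies standing in for the HTTP fetch WordPress performs
# (wp_remote_fopen in the snippet above).
SAMPLE_PAGES = {
    "http://blog.example/post": '<p>As <a href="http://victim.example/article">noted</a>.</p>',
}


def resolve(host):
    return SAMPLE_DNS.get(host, [])


def fetch(url):
    return SAMPLE_PAGES.get(url, "")


def pingback_source_matches(pagelinkedfrom, remote_addr, resolver=resolve):
    """True only if the client that submitted the pingback is one of the
    addresses the claimed source page's host resolves to. Unparsable URLs,
    unparsable client addresses and unresolvable hosts all count as a
    mismatch (fail closed)."""
    try:
        host = urlparse(pagelinkedfrom).hostname
        client = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    if not host:
        return False  # no host in the URL: nothing to compare against
    addrs = set()
    for a in resolver(host):
        try:
            addrs.add(ipaddress.ip_address(a))
        except ValueError:
            continue  # resolver handed back something that is not an address
    return client in addrs


def handle_pingback(pagelinkedfrom, pagelinkedto, remote_addr,
                    resolver=resolve, fetcher=fetch):
    """Order matters: the cheap address comparison runs before the outbound
    fetch, so a forged pingback never causes a request to the named page."""
    if not pingback_source_matches(pagelinkedfrom, remote_addr, resolver):
        return "rejected: sender address does not match source host"
    body = fetcher(pagelinkedfrom)
    if pagelinkedto not in body:
        return "rejected: source page does not link to the pinged page"
    return "accepted"


if __name__ == "__main__":
    print(handle_pingback("http://blog.example/post",
                          "http://victim.example/article", "203.0.113.10"))
    print(handle_pingback("http://blog.example/post",
                          "http://victim.example/article", "192.0.2.1"))
```

The trade-off the check makes is the same as in the PHP snippet: a blog whose outbound pingbacks leave from an address its hostname does not resolve to (an outbound proxy, a separate sending host) is rejected too.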

Thanks for being part of the solution!

~ * ~ Notice over, back to the actual article ~ * ~

Being as I am the realisation of their idealized image of the self as well as the icon of the father they always wanted but never had plus that beloved older brother they had a nonsexual crush on, of course I’d hear from each and every wanna-be kid on the Internet. The self-avowed hacker, the grandiose expert, the pro-professional, the many plurious things a recent birth with no power, no knowledge and no importance tends to vacuously ascribe himself.

kakobrekla: Pasted per request; http://dpaste.com/0DQZB8W.txt [i]
mircea_popescu: So was BitBet actually down ?
kakobrekla: Well BitBet was sort of down and assbot suffered the most.
Apocalyptic: Hard to tell if guy was serious or trolling.
kakobrekla: I dont know, I saw ‘low orbit ion cannons cannons’ and got scared.
mircea_popescu: Apocalyptic that’s the new generation. Sorta half-ass doing things and being “ironic” about them at the same time as a sort of multi-hedged insurance against the scary world. Can’t say he’s not tried. Can’t say he’s really tried, either. Can’t say he’s a faggot, not really, can’t say anything. Aderpynymous!

The complete file weighs in at 25 Mb. That’s 183`902 lines worth of (served!) requests for Trilema pages, sent by various WordPress blog installations. 95`651 of them include the “verifying pingback from 43.254.40.25” line, 3`731 show a different IP [ii], the rest omit the source. [iii] All this happened from 02:34:37 -0400 to 2:55-ish, with a few stragglers all the way to 3:00.
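Counts like the ones above can be pulled out of a raw access log with a few lines of parsing. The following is an added Python example (mine, not the article's tooling): it reads Apache combined-format lines, picks out the requests whose User-Agent carries the "verifying pingback from <ip>" suffix WordPress appends while checking a pingback, and tallies the claimed senders, the blogs doing the reflecting, the time window and the peak per-second rate; a small heuristic then flags the pattern of many distinct blogs naming mostly one sending address. The log lines are constructed; 43.254.40.25 is the address quoted in the article, everything else is a documentation address or an assumed blog name.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed Apache combined-format lines (not the Trilema logs). Pingback
# verification requests from WordPress carry a User-Agent that ends in
# "verifying pingback from <ip>", <ip> being the client that submitted the
# pingback to that blog; older installs omit the suffix.
SAMPLE_LOG = """\
198.51.100.20 - - [24/Sep/2014:02:34:37 -0400] "GET /article HTTP/1.1" 200 51234 "-" "WordPress/3.9.2; http://blog-a.example; verifying pingback from 43.254.40.25"
198.51.100.21 - - [24/Sep/2014:02:34:37 -0400] "GET /article HTTP/1.1" 200 51234 "-" "WordPress/4.0; http://blog-b.example; verifying pingback from 43.254.40.25"
198.51.100.22 - - [24/Sep/2014:02:34:38 -0400] "GET /article HTTP/1.1" 200 51234 "-" "WordPress/3.8; http://blog-c.example; verifying pingback from 43.254.40.25"
198.51.100.20 - - [24/Sep/2014:02:34:38 -0400] "GET /article HTTP/1.1" 200 51234 "-" "WordPress/3.9.2; http://blog-a.example; verifying pingback from 203.0.113.99"
198.51.100.23 - - [24/Sep/2014:02:34:39 -0400] "GET /article HTTP/1.1" 200 51234 "-" "WordPress/3.5.1; http://blog-d.example"
192.0.2.77 - - [24/Sep/2014:02:34:39 -0400] "GET /article HTTP/1.1" 200 51234 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/32.0"
198.51.100.21 - - [24/Sep/2014:02:34:40 -0400] "GET /article HTTP/1.1" 200 51234 "-" "WordPress/4.0; http://blog-b.example; verifying pingback from 43.254.40.25"
198.51.100.24 - - [24/Sep/2014:02:55:01 -0400] "GET /article HTTP/1.1" 200 51234 "-" "WordPress/4.0; http://blog-e.example; verifying pingback from 43.254.40.25"
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# "WordPress/<ver>; <blog url>" optionally followed by the verification suffix.
UA_RE = re.compile(
    r'^WordPress/[^;]+; (?P<blog>[^;]+)(?:; verifying pingback from (?P<source>\S+))?$'
)


def parse_line(line):
    """One log line -> dict, or None if it is not combined-format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ua = UA_RE.match(rec["ua"])
    rec["pingback_blog"] = ua.group("blog") if ua else None
    rec["claimed_source"] = ua.group("source") if ua else None
    return rec


def summarize(log_text):
    """Count pingback-verification hits, who they claim sent the pingback,
    which blogs did the fetching, and how fast the hits arrived."""
    recs = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    pings = [r for r in recs if r["pingback_blog"]]
    per_second = Counter(r["ts"] for r in pings)
    return {
        "total_requests": len(recs),
        "pingback_verifications": len(pings),
        "claimed_sources": Counter(r["claimed_source"] for r in pings if r["claimed_source"]),
        "without_source": sum(1 for r in pings if not r["claimed_source"]),
        "reflecting_blogs": Counter(r["pingback_blog"] for r in pings),
        "first": min(r["ts"] for r in pings) if pings else None,
        "last": max(r["ts"] for r in pings) if pings else None,
        "peak_per_second": max(per_second.values()) if per_second else 0,
    }


def looks_like_reflection(summary, min_blogs=3, min_share=0.5):
    """Flag when many distinct blogs verify pingbacks that mostly name the
    same sending address; the thresholds are assumptions, tune to taste."""
    srcs = summary["claimed_sources"]
    if len(summary["reflecting_blogs"]) < min_blogs or not srcs:
        return False
    top = srcs.most_common(1)[0][1]
    return top / sum(srcs.values()) >= min_share


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(s["pingback_verifications"], "verifications from",
          len(s["reflecting_blogs"]), "blogs; claimed senders:", dict(s["claimed_sources"]))
    print("reflection pattern:", looks_like_reflection(s))
```

The per-blog counter is the list of installations to notify, and the claimed-source counter is what goes to the abuse contact for that address range; both fall straight out of the User-Agent, no correlation with other logs needed.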

Obviously this is not what “LOIC” means. Nevertheless, it’s perhaps a usable reflected DDOS attack. All you need is a host that’ll let you do it, WordPress is dumb enough to go for it, and now that you have the list…

Enjoy. Or fix it, whatever, I don’t care.

UPDATE, September 28th : Failure breeds insistence in the narcissistically wounded, so here we are again, doing the same thing only bigger this time. <sarcasm>Because that totally works, if you fail it’s not time to try a new tack, it’s time to try harder. The time to try a new tack is when you succeed. </sarcasm>

The splendiferous haxxor at that difficult age doesn’t think the foregoing should apply to him, of course, because he thinks he should get a say in what applies to him and what doesn’t, because that’s democraticfairnormalrapetriggersomgbbq or whatever [iv], and so here we are.

This time there’s a grand total of 2`211`833 lines, more than ten times the size of the previous attempt. The complete list is here. Of some interest are the first five lines,

Obviously 50.62.208.39 knew what was about to happen seconds before it actually did. It’s an abused GoDaddy IP (which have, of course, been notified, and which, of course, still suck). The list of originating IPs (appearing after the “verifying pingback from” built-in header) is significantly shorter than last time. [v] This, coupled with the pathetic appeals to mercy proffered by the “hacker”, with the significant increase in the list of abused blogs and with the frequent repeats suggests perhaps that she’s running out of resources. Which is fine, and the first step towards embracing the slavery that’ll perhaps spit her out on the other side a complete being.

Good luck, Britni!

PS. If you don’t understand why this article figures in your pingback list, while your link isn’t in here : it’s because your blog has been abused to try and DDOS this blog, as you can verify by searching for your name in the attached gzips. Please consider hardening your WordPress installation so that this can’t be repeated in the future - as it currently stands I am immune to this because I am rich and powerful, but most bloggers out there are neither rich nor powerful and who knows how many you’ve squished so far, unknowingly ?

**** BEGIN LOGGING AT Wed Sep 24 14:27:34 2014
[14:27:34] fccccck Hetzner has good DDoS protection, but we have well lubricated cumboxes that will pierce the firewall
[14:30:25] fccccck I mean, layer 4.

APNIC reports 43.254.40.* owned by PEL-IN, who supposedly is “uniquely positioned to provide Spamfree”. I’ve notified them, seems somehow magically 100k+ fake pingback notifications managed to flow out of their network at the rate of >100 a second. Nothing suspicious there at all whatsoever, amirite. [↩]

And then, in a stroke reminiscent of matters discussed over at Cel mai adevarat in gangsta rap, ends up being the one in need of favours. Ain’t it funny how the world teenagers dream actually works ? [↩]

Most of them look like private IP addresses from AWS. Just forward the whole mess to their abuse dept, and to other ISPs too if you can identify them.

I got some annoying “fix it or we’ll shut it down” requests from AWS just because I ran a shell service on it and some derp allegedly used it to probe some tight-assed ssh server. AWS even relayed how intense the flood was, like, 5 login attempts in 20 minutes.